Category: FILE
Started On: 2018-02-06 16:41:21
Completed On: 2018-02-06 16:51:36
Duration: 615 seconds
Cuckoo Version: 1.2

Machine: WindowsXPSP3
Label: WindowsXPSP3
Manager: VirtualBox
Started On: 2018-02-06 16:41:22
Shutdown On: 2018-02-06 16:51:35

File Details

File name: dboardman3_malware2.vbs
File size: 9420 bytes
File type: ASCII text, with CRLF line terminators
CRC32: A4A8B5E2
MD5: 9a1c48b9bfe5d642335bcbb983095994
SHA1: 78ee69c2d76ea773f4edbfea51518df455142348
SHA256: f74f124fd033ffc9c6a969ca1286b8a04c6255297852e0ad29ad2effadbbcbb4
SHA512: cc74950902f5d84c5ba4c40cee261ce86c96e34fe2c2b0c1cd5cfc2aef8e656d92083cae802fb476de8418cb8c0e9ad166940aec7b7239e6e20d3d6cab7140a3
Ssdeep: 96:FKxvJMJPuSmLKMZkFVomNgFqTQo7p1JwtYny3zhzTnGbDxvx0soARhx62EA56SCT:MxvJmrNFV1NdkoQfRlAEI6h4F93Y
PEiD: None matched
Yara: None matched
VirusTotal: File not found on VirusTotal

Signatures

No signatures matched

Screenshots

Static Analysis

Nothing to display.

Dropped Files

  • payload.txt
  • backup_vabian.sys
  • Sex-Vabian.jpg.lnk
  • desktop.ini

Network Analysis

Nothing to display.

Behavior Summary

Files
  • PIPE\lsarpc
  • C:\WINDOWS\system32\wscript.exe
  • C:\WINDOWS\Registration\R000000000007.clb
  • C:\DOCUME~1\cuckoo\LOCALS~1\Temp\dboardman3_malware2.vbs
  • C:\DOCUME~1
  • C:\DOCUME~1\cuckoo
  • C:\DOCUME~1\cuckoo\LOCALS~1
  • C:\DOCUME~1\cuckoo\LOCALS~1\Temp
  • C:\WINDOWS\system32\rsaenh.dll
  • C:\Documents and Settings\cuckoo\Local Settings\Temp\dboardman3_malware2.vbs
  • C:\WINDOWS\system32\scrrun.dll
  • C:\WINDOWS\system32\wshom.ocx
  • C:\Documents and Settings\All Users\Desktop\Sex-Vabian.jpg.lnk
  • IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
  • MountPointManager
  • STORAGE#Volume#1&30a96598&0&Signature1010101Offset7E00Length2701AF400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
  • C:\WINDOWS
  • C:\WINDOWS\Vabian.VX
  • C:\Documents and Settings
  • C:\Documents and Settings\cuckoo
  • C:\Documents and Settings\cuckoo\My Documents
  • C:\Documents and Settings\cuckoo\My Documents\desktop.ini
  • C:\Documents and Settings\All Users
  • C:\Documents and Settings\All Users\Documents
  • C:\Documents and Settings\All Users\Documents\desktop.ini
  • C:\Documents and Settings\cuckoo\Desktop
  • C:\Documents and Settings\All Users\Desktop
  • C:\
  • PIPE\srvsvc
  • C:\WINDOWS\
  • C:\Documents and Settings\cuckoo\Start Menu
  • C:\Documents and Settings\cuckoo\Start Menu\desktop.ini
  • C:\Documents and Settings\All Users\Start Menu
  • C:\Documents and Settings\All Users\Start Menu\desktop.ini
  • C:\Documents and Settings\All Users\Application Data
  • C:\Documents and Settings\All Users\Application Data\desktop.ini
  • C:\Documents and Settings\cuckoo\Application Data
  • C:\Documents and Settings\cuckoo\Application Data\desktop.ini
  • C:\WINDOWS\system32
  • C:\Documents and Settings\cuckoo\My Documents\My Pictures
  • C:\Documents and Settings\cuckoo\My Documents\My Pictures\desktop.ini
  • C:\Program Files
  • C:\Documents and Settings\All Users\Documents\My Pictures
  • C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini
  • PIPE\wkssvc
  • C:\Documents and Settings\All Users\Documents\My Music
  • C:\Documents and Settings\All Users\Documents\My Music\desktop.ini
  • C:\Documents and Settings\All Users\Documents\My Videos
  • C:\Documents and Settings\All Users\Documents\My Videos\desktop.ini
  • C:\windows\backup_vabian.sys
  • C:\payload.txt
  • C:\DOCUME~1\cuckoo\LOCALS~1\Temp\*
Mutexes

Nothing to display.

Registry Keys
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName
  • ActiveComputerName
  • HKEY_CLASSES_ROOT\.vbs
  • HKEY_CLASSES_ROOT\VBSFile\ScriptEngine
  • HKEY_CLASSES_ROOT\VBScript
  • HKEY_CLASSES_ROOT\VBScript\CLSID
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003_Classes
  • HKEY_LOCAL_MACHINE\Software\Classes
  • \REGISTRY\USER
  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID
  • HKEY_CLASSES_ROOT\VBScript\CLSID\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}
  • HKEY_CLASSES_ROOT\VBScript\CLSID\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\TreatAs
  • HKEY_CLASSES_ROOT\VBScript\CLSID\
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServerX86
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\LocalServer32
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocHandler32
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocHandlerX86
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\LocalServer
  • HKEY_CLASSES_ROOT\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}
  • HKEY_CLASSES_ROOT\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\TreatAs
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • {dda3f824-d8cb-441b-834d-be2efd2c1a33}
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\SOFTWARE\Microsoft\Cryptography\Providers\Type 001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Offload
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Microsoft\Internet Explorer\Security
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
  • HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPublisher\Safer
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{000C10F1-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{06C9E010-38CE-11D4-A2A3-00104BD35090}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{1A610570-38CE-11D4-A2A3-00104BD35090}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptSIPDllIsMyFileType2
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptSIPDllPutSignedDataMsg
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptSIPDllGetSignedDataMsg
  • HKEY_CLASSES_ROOT\VBScript\CLSID\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}
  • HKEY_CLASSES_ROOT\VBScript\CLSID\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}\TreatAs
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}\InprocServer32
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}\InprocServerX86
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}\LocalServer32
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}\InprocHandler32
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}\InprocHandlerX86
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}\LocalServer
  • HKEY_CLASSES_ROOT\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}
  • HKEY_CLASSES_ROOT\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}\TreatAs
  • HKEY_USERS\S-1-5-21-1960408961-789336058-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
  • Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
  • Control Panel\International\Calendars\TwoDigitYearMax
  • HKEY_CLASSES_ROOT\WScript.Shell
  • HKEY_CLASSES_ROOT\WScript.Shell\CLSID
  • HKEY_CLASSES_ROOT\VBScript\CLSID\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
  • HKEY_CLASSES_ROOT\VBScript\CLSID\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TreatAs
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServerX86
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocHandler32
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocHandlerX86
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer
  • HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
  • HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TreatAs
  • HKEY_CLASSES_ROOT\scripting.FileSystemObject
  • HKEY_CLASSES_ROOT\scripting.FileSystemObject\CLSID
  • HKEY_CLASSES_ROOT\VBScript\CLSID\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}
  • HKEY_CLASSES_ROOT\VBScript\CLSID\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\TreatAs
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServerX86
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\LocalServer32
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocHandler32
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocHandlerX86
  • HKEY_CLASSES_ROOT\VBScript\CLSID\\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\LocalServer
  • HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}
  • HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\TreatAs
  • HKEY_CLASSES_ROOT\TypeLib
  • HKEY_CLASSES_ROOT\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}
  • HKEY_CLASSES_ROOT\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0
  • HKEY_CLASSES_ROOT\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0\0
  • HKEY_CLASSES_ROOT\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0\0\win32
  • HKEY_CLASSES_ROOT\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}
  • HKEY_CLASSES_ROOT\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0
  • HKEY_CLASSES_ROOT\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\409
  • HKEY_CLASSES_ROOT\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\9
  • HKEY_CLASSES_ROOT\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0
  • HKEY_CLASSES_ROOT\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win32
  • HKEY_CLASSES_ROOT\VXFile\DefaultIcon
  • HKEY_CLASSES_ROOT\VXFile\ScriptEngine
  • HKEY_CLASSES_ROOT\VXFile\ScriptHostEncode
  • HKEY_CLASSES_ROOT\VXFile\Shell\Open\Command
  • HKEY_CLASSES_ROOT\VXFile\Shell\Play\Command
  • HKEY_CLASSES_ROOT\VXFile\ShellEx\PropertySheetHandlers\WSHProps
  • HKEY_CLASSES_ROOT\.VX
  • HKEY_CLASSES_ROOT\VX\CLSID
  • HKEY_CLASSES_ROOT\wscript.shell
  • HKEY_CLASSES_ROOT\wscript.shell\CLSID
  • HKEY_CLASSES_ROOT\VBScript\CLSID\CLSID\{00021401-0000-0000-C000-000000000046}
  • HKEY_CLASSES_ROOT\VBScript\CLSID\CLSID\{00021401-0000-0000-C000-000000000046}\TreatAs
  • HKEY_CLASSES_ROOT\wscript.shell\CLSID\CLSID\{00021401-0000-0000-C000-000000000046}
  • HKEY_CLASSES_ROOT\wscript.shell\CLSID\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32
  • HKEY_CLASSES_ROOT\wscript.shell\CLSID\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServerX86
  • HKEY_CLASSES_ROOT\wscript.shell\CLSID\CLSID\{00021401-0000-0000-C000-000000000046}\LocalServer32
  • HKEY_CLASSES_ROOT\wscript.shell\CLSID\CLSID\{00021401-0000-0000-C000-000000000046}\InprocHandler32
  • HKEY_CLASSES_ROOT\wscript.shell\CLSID\CLSID\{00021401-0000-0000-C000-000000000046}\InprocHandlerX86
  • HKEY_CLASSES_ROOT\wscript.shell\CLSID\CLSID\{00021401-0000-0000-C000-000000000046}\LocalServer
  • HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}
  • HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\TreatAs
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
  • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b602d500-5818-11e5-9f17-806d6172696f}\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b602d502-5818-11e5-9f17-806d6172696f}\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b602d502-5818-11e5-9f17-806d6172696f}\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b602d500-5818-11e5-9f17-806d6172696f}\
  • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
  • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
  • HKEY_CLASSES_ROOT\Directory
  • HKEY_CLASSES_ROOT\Directory\CurVer
  • HKEY_CLASSES_ROOT\Directory\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • HKEY_CLASSES_ROOT\Directory\\ShellEx\IconHandler
  • HKEY_CLASSES_ROOT\Directory\\Clsid
  • HKEY_CLASSES_ROOT\Folder
  • HKEY_CLASSES_ROOT\Folder\Clsid
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.VX
  • HKEY_CLASSES_ROOT\VXFile
  • HKEY_CLASSES_ROOT\VXFile\CurVer
  • HKEY_CLASSES_ROOT\VXFile\
  • HKEY_CLASSES_ROOT\VXFile\\ShellEx\IconHandler
  • HKEY_CLASSES_ROOT\SystemFileAssociations\.VX
  • HKEY_CLASSES_ROOT\VXFile\\Clsid
  • HKEY_CLASSES_ROOT\*
  • HKEY_CLASSES_ROOT\*\Clsid
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\DefaultSecurity
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
  • HKEY_CLASSES_ROOT\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\InProcServer32
  • HKEY_CLASSES_ROOT\Outlook.Application
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\App Management
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\App Management
  • HKEY_CURRENT_USER\Software\Microsoft\Notepad
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\NOTEPAD.EXE
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt
  • HKEY_CLASSES_ROOT\.txt
  • HKEY_CLASSES_ROOT\txtfile
  • HKEY_CLASSES_ROOT\txtfile\CurVer
  • HKEY_CLASSES_ROOT\txtfile\
  • HKEY_CLASSES_ROOT\txtfile\\ShellEx\IconHandler
  • HKEY_CLASSES_ROOT\SystemFileAssociations\.txt
  • HKEY_CLASSES_ROOT\SystemFileAssociations\text
  • HKEY_CLASSES_ROOT\SystemFileAssociations\text\ShellEx\IconHandler
  • HKEY_CLASSES_ROOT\txtfile\\Clsid
  • HKEY_CLASSES_ROOT\SystemFileAssociations\text\Clsid

Processes


wscript.exe (PID: 220, Parent PID: 1928)
  NOTEPAD.EXE (PID: 964, Parent PID: 220)

Volatility

Nothing to display.